Today, Explained - Life's a breach
Episode Date: July 31, 2019
Capital One got hacked. Equifax is trying to make up for its hack. And The Verge's Russell Brandom explains why you should definitely prepare yourself for more hacks.
Transcript
Here's a question.
Do your career goals require you to take a standardized test like the GRE or the GMAT or the LSAT or the MCAT or the SAT?
Visit Magoosh.com and enter the promo code today for a 15% off discount for their test prep.
That's M-A-G-O-O-S-H dot com.
Russell Brandom, you're a policy editor at The Verge.
Monday night, the world found out about another huge 100 million plus data breach.
Could you tell the people what happened, Russell?
Yeah, so Capital One, you may know their credit card ads on TV.
What's in your wallet?
Or their arena in Washington, D.C.
Also, also very true.
So essentially, they were storing some data on Amazon Cloud Server.
Not unusual. And it turned out that it was sort of misconfigured.
More than 100 million Capital One credit card customers and applicants across the U.S. and Canada have been affected by a massive data breach. This is one of the biggest breaches of a financial institution ever.
This is what they're saying.
Yeah, I mean, it's sort of all in how you look at it. There's data from more than 100 million credit applications, right? So this is sort of the thing that they mail to you and you mail back.
Yeah.
Capital One was quick to say that it wasn't that many social security numbers. There was only 140,000 U.S. social security numbers and 80,000 bank account numbers and about a million social insurance numbers,
which are sort of the Canadian equivalent of the social security numbers.
Don't I know.
I mean, that's still a lot of people, but it's not really as impressive as leading with
the 100 million thing.
Hmm.
So do we know who did this at all?
So a person has been charged with doing this, Paige Thompson.
Who's a former employee of Amazon Web Services, they say she left an extensive digital footprint of her alleged crime on the internet, including bragging about what she did online.
She was just hosting it on GitHub, which is not usually what hackers do in this situation. Like, usually you would kind of want to keep it secret and have people pay you for it if you're trying to make lots of money.
Is GitHub where, like, all the hackers hang out?
No, GitHub is just sort of a boring place
where people put their coding projects
and anyone can go there.
So, I mean, when Capital One found out about this,
basically the email they got
in their responsible disclosure inbox was,
hey, look at this GitHub page.
And then it had a link to the GitHub page.
And I was like, that doesn't seem right.
But it was just sort of out there in the open. I feel like if she had had some nefarious purpose to it,
either we would have seen it anonymously out there with some manifesto or it would have been
sort of sold quietly in the sort of underground marketplaces where people will pay money for this
stuff. And so neither of those happened. It kind of raises questions about what her thought process was in doing this.
Surveillance video shows federal agents arriving to Paige Thompson's Beacon Hill home in Seattle early Monday morning.
The 33-year-old placed under arrest accused of hacking into Capital One's system.
How unusual is it to sort of apprehend a suspect so quickly after finding out something like this happened and for it to just be like a single hacker who maybe doesn't even have a real motive?
Well, often you just sort of don't know who it is.
Like, I think that's sort of the typical thing is that we'll say, well, you know, someone hacked Home Depot.
It was some person or some group of people and we don't really know.
And then someone else got a hold of the same program and they hacked Target. And either they're doing it to a U.S. area because they know that they're in Ukraine or Russia and they won't really be extraditable, even if they find them, or they've taken some sort of more sophisticated effort to hide themselves.
But just finding this stuff on a public GitHub page that's directly connected to the person's name is pretty unusual.
Should it be concerning that this one person who maybe didn't even like want to do something nefarious didn't have a very hard time getting all of this information,
getting something like 106 million credit card applications?
Well, yeah.
I mean, so this is not supposed to happen.
Like, definitely this was a goof is the technical term.
That's what they call it in the business.
This is a goof?
That's what they call this?
This is a goof?
Yeah, it's a goof. I would say it was a major, severe goof. Unprecedented goof.
But also, I mean, I wouldn't downplay her technical sophistication. I mean, she was really pretty good at knowing the specific configurations and ways to exploit specific other configurations, and she had years earlier actually worked at Amazon, which is one of the things people sort of have questions about: did she have some special knowledge of how to do this? But I mean, very often people are just bad at setting these things up and stuff just leaks out. So maybe that should be more secure. Maybe we should be taking a closer look at Capital One and sort of how they handle.
Maybe? Isn't it like definitely?
Yeah, definitely Capital One is in some trouble here.
information and protect our money, our credit, our financial well-being, that this stuff is vulnerable and can just get easily and randomly hacked?
I mean, yeah. Like, I think fundamentally, if you are filling out a form and you are submitting it to a large corporation, I mean any corporation, you should probably figure that that information is potentially going to get out there.
The real concern is the social security numbers, because that is the raw material for identity
theft. And it's not just, oh, I have the social security number, I have the keys to the kingdom,
but okay, if I have a recent address from the person
and I know their full name
and I know their social security number
and I know a couple other things,
I can probably fill out a loan application
that no one will look too closely at
and maybe if I put in my address instead of their address,
they'll just figure the person moved. And, you know, credit card companies are always sort of looking out for this.
But at the same time, they don't want to make it too hard to apply for a credit card because that's
their business. And so, yeah, it's tricky. I mean, if we're trusting the banks and the
credit agencies to take care of our information and they're not, what can people do in the meantime to keep their information secure?
Actually, probably the best thing you can do is get a credit freeze that will just say, do not let anyone apply for anything in my name until I sort of call you up and give you these special four digits. The other thing you can do that's a little bit less intense
is you can just get credit monitoring,
where they'll look and they'll say,
oh, actually, this person just applied for a credit card
with a different address.
Was that you or was that not you?
And they'll sort of be watching more closely.
And that usually costs money,
but actually, if you were in one of the recent breaches,
they might be offering it for free.
Russell's talking about Equifax right now because right now, Equifax is facing the music for its big, huge breach from a few years ago.
The consequences for big corporations that don't take care of your personal information after the break.
Back in my day, when you wanted to do test prep for one of these GMAT, GRE, LSAT, MCAT, SAT situations,
you had to like go somewhere to a class. But with Magoosh, you got some other options. At
Magoosh.com, you get all your practice questions, your study schedules, you get video lessons and
access to an expert tutor team if you need extra help. And if you're retaking a test, Magoosh offers a score improvement guarantee.
If you don't improve, you get your money back.
At Magoosh.com, study materials are always up to date
and super relevant to the questions you'll see on the actual tests.
And guess what? Students who have used Magoosh love it.
Find out for yourself over at Magoosh.com. The promo code today gets you 15% off. That's M-A-G-O-O-S-H.com and the promo code today for a 15% off discount at Magoosh. I just like saying Magoosh. That's the trush.
Russell, one of these big data breaches kind of came to a head last week when people found out that, hey, they could type their name and information into some website and maybe get
some money back for one of these breaches. This was Equifax.
What happened in that case?
Equifax is one of the companies that's doing the credit monitoring and the credit freezes.
They're sort of maintaining the credit information on anyone who's applying for credit.
In 2017, they announced that they'd had a data breach of 147 million people.
And it was very, very bad.
And so in the years since that, the FTC, the Federal Trade Commission, has been suing them
and sort of trying to make the American consumer whole as sort of a just compensate the people
who were part of that, which is basically everyone.
And so that happened.
Like they finally got the settlement.
It came in.
There's a website, equifaxbreachsettlement.com,
where you can sort of put in the last six digits
of your social security number
because you shouldn't be, as we covered earlier,
you shouldn't be putting your social security number
into random websites.
But yeah, so you can go to that site.
If you were in the breach, you're entitled to compensation
and it'll give you this kind of choice
about how you want that compensation to work.
What's the choice?
What do you actually get?
So either you can get the credit monitoring, which conveniently Equifax is in the business of providing.
Wait, as an apology for letting all of your information out into the open, they will monitor your credit for you for free?
Yeah, I mean, it's not like as an apology. It's like if I, like, hit your car and crushed up the bumper and I would be like, you know what? New bumper on me. And it's not like you're supposed to be happy about it, but you're supposed to be like, okay, that was, that's good enough. Like, fair.
But isn't it kind of not like that? Because it's like if you borrowed my car and, like, broke it, and then you were like, let me continue to borrow your car but not break it. It feels more like that.
Well, if I fix it and I tell you that I fixed it, and maybe the bumper that I get you isn't exactly the same color as the rest of your car, so you still notice it, but it's better than, like, a crushed bumper, and you know that you're not really gonna get anything better from me, then you would sort of, you would, like, sigh heavily and accept it.
Yeah, I guess, like, if I have no other option because I can't afford a new car because you've ruined my life, then, like, yeah.
And you can't like afford a functional consumer protection agency, right?
Like who are you going to go to?
Consumer Financial Protection Bureau?
Like I got some bad news.
So, okay.
So that's one option.
Great.
So the option that has taken on a little bit more hype is $125, which people saw on the internet and lost their minds. Everyone was just like, smash that $125 button.
Is that because it, like, sort of feels like free money to people who haven't felt the actual tangible effects of having their information breached?
I think that's part of it. I think the other thing is that, like, people are broke. It's hard out there. Like, it's bad. I mean, I'm in New York. I don't know what it's like in DC, but if I walked out on the street and I was like, hey, I want you to do something. Here's $125. It's nuts.
Are you saying there's a lot of things you would do for $125?
Well, not me. I'm a wealthy blogger.
Sure, sure, sure, sure, sure, sure, sure.
You know, so yeah, $125 for this thing that already happened to you and you didn't even notice.
People are all about it.
Is there a chance that people don't get $125 if, say, like, a ton of people sign up for the settlement, though?
Yeah. So there's 147 million people were affected. Their estimate is that a little under a quarter of a million people will sign up. And if that's the number of people, then they'll get $125 each. But if a million people get the money, then they get $31. And it sort of keeps going down to the point where if absolutely every single person signs up, they get 21 cents.
What? 21 cents? Does a company like Equifax even feel pain here? I mean, on one hand, it's 21 cents to $125 at most. And on the other, it's people choosing, like, yeah, monitor my credit for free, in which case all they have to really do is provide a service they already provide and probably coax you into paying for the service eventually for some people.
I mean, are they hurting after losing everyone's information?
Do any of these companies hurt after losing your personal information?
Well, everybody hurts.
I think they probably aren't hurting as much as they should be. Like, for me, I look at this and I think, why does this company even exist after this?
Their only job was collecting and storing and safely disseminating financial information.
So if they can't protect it, why let them handle it at all?
Yeah.
What's the answer to that question?
Well, I mean, because they're a business and we don't like shutting down businesses for consumer protection reasons in this country.
Like if you want to sort of get a political cause out of it, we need to empower the FTC to be harder on these companies and sort of be a more powerful and fearful agency so that when they're in this situation, they can really make these things hurt as much as they should. Because, I mean, fundamentally, I think it's still worse for the people who got breached than it was for Equifax.
And they weren't even intentionally in a relationship with Equifax.
They didn't decide to buy something from Equifax.
Equifax was just collecting their information ambiently because that's what it does.
The problem is that the breach happened in the first place, and how can we make the penalty significant enough that it doesn't happen in the future? Like, that's the long-term thing. People weren't, like, meaningfully damaged that much. It's really just, this is an insane system, and how can we make the fine big enough that it makes people try to make the system better.
Russell Brandom, as you know, is a wealthy blogger at The Verge.
I'm Sean Rameswaram. This is Today, Explained. Thanks to Magoosh for supporting the show today.
Again, Magoosh.com with the promo code today is the place to get a 15% off discount.
The Magoosh online test prep, which helps you study anywhere, anytime on your desktop or on mobile.
M-A-G-O-O-S-H dot com.